24.5. Create the /usr/bin/sign.sh program file

The openssl ca command has some strange requirements, and the default OpenSSL config doesn't make it easy to use openssl ca directly. Therefore, we'll create this sign.sh program to wrap it. Create the sign.sh program file with touch /usr/bin/sign.sh and add the following to it:

         #!/bin/sh
         ##
         ##  sign.sh -- Sign a SSL Certificate Request (CSR)
         ##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
         ##
         #   argument line handling
         CSR=$1
         if [ $# -ne 1 ]; then
         echo "Usage: sign.sh <whatever>.csr"; exit 1
         fi
         if [ ! -f "$CSR" ]; then
         echo "CSR not found: $CSR"; exit 1
         fi
         #   derive the certificate file name: foo.csr -> foo.crt, anything else -> name.crt
         case $CSR in
         *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
         * ) CERT="$CSR.crt" ;;
         esac
         #   the CA directory: the config below refers to it by absolute path, so the
         #   database files are created there rather than in the current directory
         CADIR=/etc/ssl
         CONFIG=$CADIR/ca.config
         #   make sure environment exists
         if [ ! -d "$CADIR/ca.db.certs" ]; then
         mkdir "$CADIR/ca.db.certs"
         fi
         if [ ! -f "$CADIR/ca.db.serial" ]; then
         echo '01' >"$CADIR/ca.db.serial"
         fi
         if [ ! -f "$CADIR/ca.db.index" ]; then
         cp /dev/null "$CADIR/ca.db.index"
         fi
         #   create an own SSLeay config (unquoted heredoc, so $CADIR expands)
         cat >"$CONFIG" <<EOT
         [ ca ]
         default_ca             = CA_own
         [ CA_own ]
         dir                    = $CADIR
         certs                  = $CADIR/certs
         new_certs_dir          = $CADIR/ca.db.certs
         database               = $CADIR/ca.db.index
         serial                 = $CADIR/ca.db.serial
         RANDFILE               = $CADIR/ca.db.rand
         certificate            = $CADIR/certs/ca.crt
         private_key            = $CADIR/private/ca.key
         default_days           = 365
         default_crl_days       = 30
         # md5 is the 1999 default and is cryptographically broken; use sha256 on any current system
         default_md             = md5
         preserve               = no
         policy                 = policy_anything
         [ policy_anything ]
         countryName            = optional
         stateOrProvinceName    = optional
         localityName           = optional
         organizationName       = optional
         organizationalUnitName = optional
         commonName             = supplied
         emailAddress           = optional
         EOT
         #  sign the certificate; a failed signing must not be reported as success
         echo "CA signing: $CSR -> $CERT:"
         if ! openssl ca -config "$CONFIG" -out "$CERT" -infiles "$CSR"; then
         echo "CA signing failed: $CSR"; rm -f "$CONFIG"; exit 1
         fi
         echo "CA verifying: $CERT <-> CA cert"
         openssl verify -CAfile "$CADIR/certs/ca.crt" "$CERT"
         #  cleanup after SSLeay
         rm -f "$CONFIG"
         rm -f "$CADIR/ca.db.serial.old"
         rm -f "$CADIR/ca.db.index.old"
         #  die gracefully
         exit 0

Now, make this program executable, and change its default permissions:
         [root@deep] /# chmod 755 /usr/bin/sign.sh
         

Tip: You can also find this program sign.sh in the mod_ssl distribution under the mod_ssl-version/pkg.contrib/ subdirectory, or on our floppy.tgz archive file. Also note that the section [ CA_own ] must be changed to reflect your own environment, and don't forget to change the openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT line too.
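Every certificate that sign.sh issues is recorded by openssl ca in the ca.db.index database it creates in the "make sure environment exists" step, and that file is the CA operator's record of what has been issued, revoked or expired. The following script is an added example for this page, not part of mod_ssl or of sign.sh: it reads an index database in the format openssl ca writes and reports on it, so the state of the CA can be audited without touching the CA key. The sample index lines and the function names are constructed for the example.

```sh
#!/bin/sh
# ca_index_audit.sh -- read an OpenSSL "openssl ca" index database (the
# ca.db.index file that sign.sh creates) and report on it.
# Added example for this page; not part of mod_ssl's sign.sh.
#
# Record format written by "openssl ca" (one tab-separated line per cert):
#   status  expiry  revocation  serial  filename  subject
#   status     : V (valid), R (revoked), E (expired)
#   expiry     : YYMMDDHHMMSSZ (UTC)
#   revocation : empty unless R; may be "YYMMDDHHMMSSZ,reason"
#   serial     : hex, as counted in ca.db.serial
#   filename   : always "unknown"
#   subject    : the DN, e.g. /C=US/CN=www.example.com

# Status letter recorded for a given serial number, or "-" if it is not present.
ca_index_status() {
    awk -F '\t' -v s="$2" '$4 == s { print $1; found=1 } END { if (!found) print "-" }' "$1"
}

# Count records per status: prints "valid=N revoked=N expired=N".
ca_index_summary() {
    awk -F '\t' '
        $1 == "V" { v++ } $1 == "R" { r++ } $1 == "E" { e++ }
        END { printf "valid=%d revoked=%d expired=%d\n", v+0, r+0, e+0 }' "$1"
}

# Serials of still-valid (V) certs whose expiry is at or before the given
# YYMMDDHHMMSSZ timestamp. Because "openssl ca" writes two-digit years, a
# plain string comparison orders the timestamps correctly within one century.
ca_index_expiring_by() {
    awk -F '\t' -v cutoff="$2" '$1 == "V" && $2 <= cutoff { print $4 }' "$1"
}

# Serial, revocation reason (if recorded) and subject of each revoked cert.
ca_index_revoked() {
    awk -F '\t' '$1 == "R" {
        split($3, rv, ",");
        printf "%s %s %s\n", $4, (rv[2] == "" ? "unspecified" : rv[2]), $6 }' "$1"
}

# Constructed sample database for demonstration (not a real CA's index).
SAMPLE_INDEX="${TMPDIR:-/tmp}/ca.db.index.sample.$$"
printf 'V\t260101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=www.example.com\n' >"$SAMPLE_INDEX"
printf 'R\t260101000000Z\t240615120000Z,keyCompromise\t02\tunknown\t/C=US/O=Example/CN=mail.example.com\n' >>"$SAMPLE_INDEX"
printf 'V\t240301000000Z\t\t03\tunknown\t/C=US/O=Example/CN=old.example.com\n' >>"$SAMPLE_INDEX"
printf 'E\t230101000000Z\t\t04\tunknown\t/C=US/O=Example/CN=gone.example.com\n' >>"$SAMPLE_INDEX"

# Run with --demo to print a report on the sample; point the functions at
# /etc/ssl/ca.db.index to audit a real CA set up as on this page.
if [ "${1:-}" = "--demo" ]; then
    ca_index_summary "$SAMPLE_INDEX"
    echo "expiring by now:"
    ca_index_expiring_by "$SAMPLE_INDEX" "$(date -u +%y%m%d%H%M%SZ)"
    echo "revoked:"
    ca_index_revoked "$SAMPLE_INDEX"
fi
```

Note that openssl ca only flips a V record to E when it is asked to (openssl ca -updatedb), so a certificate can be past its expiry and still show as V; that is why ca_index_expiring_by compares the expiry field itself instead of trusting the status letter.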

Published under the terms of the Open Publication License.